Feature Proposal: Improve security of password reset.

Motivation

There are a number of open tasks around Reset Password. The current function reveals information about the account being reset, and it changes the password without any confirmation from the account owner.

Description and Documentation

Change the Password Reset function to generate a reset token and email it to the user requesting the reset.
  • Very short lifetime reset token. Default 10 minutes. (May need to be longer for users who greylist.)
  • If user ignores the email, then nothing is done, and the password is not reset.
  • Token should allow access to only the Change Password page.

Addresses:
  • Item10206: It's too easy to reset another user's password
  • Item556: Allow password reset by entering email address.
  • Item9420: Reset password should not be permitted for base mapper users.
  • Item2071: Reset password gives away too much information

Examples

Impact


Implementation

I've not yet decided on an implementation. But I'm thinking that:
  • The token will cause a login, but with an access restriction.
  • Any other URL will force the user back to the change page.
  • Once password is changed, the restriction will be removed.
  • User will not have to re-login after changing the password.

The "Token Auth" will be implemented in Foswiki::LoginManager::loadSession()
  • cryptographic token stored in working/tmp/tokenauth_xxxxxxxxx using Storable
  • Set AccessRestriction={webname.topicname} as a session variable.
Access check implemented in Foswiki::UI::checkAccess(). If the URL for the request doesn't match the AccessRestriction, redirect to the AccessRestriction topic.

   # Data stored in the token file. $configurable_seconds stands for the
   # configured token lifetime (default 600, i.e. the 10 minutes above).
   my $hash = {
       'cUID'                     => 'JoeUser',
       'expires'                  => time() + $configurable_seconds,
       'FOSWIKI_TOPICRESTRICTION' => 'System.ChangePassword',
   };
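An added sketch of that token flow, written for this page in Perl because Foswiki is Perl; it is not Foswiki code or the proposal's implementation. The digest-named token file, the sub names, the /dev/urandom source, and the use of the stored FOSWIKI_TOPICRESTRICTION key as the session restriction are assumptions:

```perl
use strict;
use warnings;
use Storable qw(store retrieve);
use Digest::SHA qw(sha256_hex);
use File::Path qw(make_path);

# Constructed for this example: token files live under working/tmp as in the proposal.
my $TOKEN_DIR   = 'working/tmp';
my $RESET_TOPIC = 'System.ChangePassword';

# 32 bytes from the OS CSPRNG, hex-encoded (assumes a Unix-like host).
sub random_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read( $fh, my $bytes, 32 ) == 32 or die "short read from /dev/urandom";
    return unpack 'H*', $bytes;
}

# Name the file by a digest of the token (assumption) so a listing of working/tmp does not expose usable tokens.
sub token_path { "$TOKEN_DIR/tokenauth_" . sha256_hex( $_[0] ) }

# Issue a token for $cuid, valid for $ttl seconds (proposal default: 10 minutes).
sub issue_reset_token {
    my ( $cuid, $ttl ) = @_;
    $ttl //= 600;
    make_path($TOKEN_DIR);
    my $token = random_token();
    my $hash  = { cUID => $cuid, expires => time() + $ttl,
                  FOSWIKI_TOPICRESTRICTION => $RESET_TOPIC };
    store $hash, token_path($token);
    return $token;
}

# Redeem a token exactly once: unlink before the expiry check so a replayed or
# expired token never loads a session. Returns the stored hash, or undef.
sub redeem_reset_token {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /^[0-9a-f]{64}$/;
    my $path = token_path($token);
    return undef unless -f $path;
    my $data = retrieve($path);
    unlink $path;
    return $data->{expires} < time() ? undef : $data;
}

# checkAccess() analogue: while the restriction is set, any other topic is sent back to it (returns the redirect target, or undef to allow).
sub check_access {
    my ( $session, $web, $topic ) = @_;
    my $r = $session->{FOSWIKI_TOPICRESTRICTION} or return undef;
    return "$web.$topic" eq $r ? undef : $r;
}
```

After a successful password change the caller deletes FOSWIKI_TOPICRESTRICTION from the session hash, which lifts the restriction without forcing a new login.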

This would accomplish a few things:

This may also be a good time to move UI::Password and UI::Manage functions for changing password and email, and the password reset function into a REST handler.

-- Contributors: GeorgeClark - 30 Sep 2017

Discussion

Need to remove the context => support. Since context doesn't persist, it doesn't make much sense.

-- GeorgeClark - 07 Oct 2017
 
Topic revision: r8 - 06 Feb 2018, GeorgeClark